Create a security policy to determine when to use the authentication and encryption parameters set in a security association.

You can add a security policy using the esxcli vSphere CLI command.

Before creating a security policy, add a security association with the appropriate authentication and encryption parameters as described in Add a Security Association.

At the command prompt, enter the command esxcli network ip ipsec sp add with one or more of the following options.

--sp-source= source address

Required. Specify the source IP address and prefix length.

--sp-destination= destination address

Required. Specify the destination address and prefix length.

--source-port= port

Required. Specify the source port. The source port must be a number between 0 and 65535.

--destination-port= port

Required. Specify the destination port. The destination port must be a number between 0 and 65535.

--upper-layer-protocol= protocol

Specify the upper layer protocol using one of the following parameters.

--flow-direction= direction

Specify the direction in which you want to monitor traffic using either in or out.

--action= action

Specify the action to take when traffic with the specified parameters is encountered using one of the following parameters.

none: Take no action.

discard: Do not allow data in or out.

ipsec: Use the authentication and encryption information supplied in the security association to determine whether the data comes from a trusted source.

--sp-mode= mode

Specify the mode, either tunnel or transport.

--sa-name=security association name

Required. Provide the name of the security association for the security policy to use.

Required. Provide a name for the security policy.

The following example includes extra line breaks for readability.

esxcli network ip ipsec sp add
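The example above stops after the command name. The following shell wrapper is an added example, not part of the VMware page: it checks the option values against the constraints the page states (ports 0 to 65535, flow direction in or out, action none, discard or ipsec, mode tunnel or transport) and prints the complete esxcli command line with every option documented above. Two assumptions are not on the page: the policy name is passed with `--sp-name` (the page's entry for that option lost its flag name), and `tcp` is used as the upper-layer protocol value in the sample. The addresses and names in the sample are constructed, and the wrapper prints the command instead of running it, so it can be checked off an ESXi host.

```shell
#!/bin/sh
# Added example; not from the VMware page. Validates the option values the page
# documents for "esxcli network ip ipsec sp add" and prints the complete command
# line. It prints rather than runs esxcli, so it works off an ESXi host.
# Assumption: --sp-name carries the policy name (the page's entry for that option
# lost its flag name).

# valid_port PORT: succeed if PORT is an integer in 0..65535 (the page's range).
valid_port() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 0 ] && [ "$1" -le 65535 ]
}

# one_of VALUE ALLOWED...: succeed if VALUE equals one of ALLOWED.
one_of() {
  _want=$1
  shift
  for _w in "$@"; do
    [ "$_want" = "$_w" ] && return 0
  done
  return 1
}

# build_sp_add_cmd SP_NAME SA_NAME SRC/PREFIX DST/PREFIX SPORT DPORT PROTO DIRECTION ACTION MODE
# Prints the esxcli command on stdout; returns 1 (with a message on stderr) when a
# value is outside what the page allows. The upper-layer protocol is passed through
# unchecked because the page does not list its accepted values.
build_sp_add_cmd() {
  sp_name=$1; sa_name=$2; src=$3; dst=$4; sport=$5
  dport=$6; proto=$7; dir=$8; action=$9; mode=${10}
  valid_port "$sport" || { echo "source port must be 0-65535, got '$sport'" >&2; return 1; }
  valid_port "$dport" || { echo "destination port must be 0-65535, got '$dport'" >&2; return 1; }
  one_of "$dir" in out || { echo "flow direction must be in or out, got '$dir'" >&2; return 1; }
  one_of "$action" none discard ipsec || { echo "action must be none, discard or ipsec, got '$action'" >&2; return 1; }
  one_of "$mode" tunnel transport || { echo "mode must be tunnel or transport, got '$mode'" >&2; return 1; }
  printf 'esxcli network ip ipsec sp add --sp-name=%s --sa-name=%s --sp-source=%s --sp-destination=%s --source-port=%s --destination-port=%s --upper-layer-protocol=%s --flow-direction=%s --action=%s --sp-mode=%s\n' \
    "$sp_name" "$sa_name" "$src" "$dst" "$sport" "$dport" "$proto" "$dir" "$action" "$mode"
}

# Constructed sample: apply the SA named sa_web to outbound HTTPS between one host
# and one peer (addresses are from the RFC 5737 documentation ranges).
build_sp_add_cmd sp_web sa_web 192.0.2.10/32 198.51.100.20/32 0 443 tcp out ipsec transport
```

Run the script to see the full command line; on an ESXi host you can paste the printed line into the ESXi Shell, or replace the final `build_sp_add_cmd` call with `eval "$(build_sp_add_cmd ...)"` once the SA named in `--sa-name` exists. The validation mirrors the page's stated constraints only; esxcli itself rejects malformed addresses and unknown protocol names.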